Terminal Services role installation on a 2008 domain controller

I want to install Terminal Services on a 2008 domain controller. It is planned for a company of 4 local users and 1 remote user, with possibly 2-3 more remote users in the future.
What I'm asking is:
a. For the 1st user - can I avoid installing the TS role, and only add the remote user to the remote access group?
b. What precautions do I have to take into consideration when installing this configuration? What can go wrong when doing it?

When you want to give access to a server to more than 2 users concurrently, you have to use the TS Role. The TS Role is the full version of the Remote Desktop feature. So you cannot avoid using the TS Role in your case.

After the Installation of TS Role you will have to grant access to users to the TS Server. Then you will use the Remote Access Group to grant access to the users.

And something else. When the TS Role is Installed, it is bracing up any Remote Desktop Connection on the Server. So you can not distinguish which users Connect to Remote Desktop and which connect to TS Role, all connections are the same.

Thanks.
Does that mean that if I have only 1 or 2 remote users, it can work without the TS role?
What permissions, except for being able to RDP, do I have to give the remote user to prevent unsafe file security popups?

That is exactly what it means.
With 1 or 2 users concurrently, you do not need to install the TS Role.

It is not clear to me if you are referring to the security messages which pop up with RDP connections, but if you are, this is a matter of the RDP version you will use.

To make it more clear:
If you make an RDP connection from Windows Vista or Windows 7, which support the new version of RDP (with NLA - Network Level Authentication), there will be no security errors. But if you make an RDP connection from an XP machine, then there is nothing you can do (as far as I know) to make them stop.

Let's start with b.:
Don't do it. Invest in a (not too expensive) dedicated terminal server. A terminal server is basically nothing more than a multi-user *workstation*. A workstation with end-user applications installed is way more likely to have to be reinstalled than a server is. Do you want to find yourself in a position of having to restore your complete AD just because a user application has gone haywire? How expensive is it for your company if your DC goes down for a day because a user surfed from the DC to a website with malware on it?
That aside, it's a lot easier to attack a DC when you're already logged on to it; and any user application you install can increase the attack surface of your DC, while decreasing the stability of the system.
If hardware is an issue, install a free version of a virtualization solution (VMware, XenServer, whatever) and run a virtualized DC and a virtualized terminal server on it.

As far as a. is concerned: on a terminal server, every user application has to be installed in installation mode (which, obviously, isn't possible if the TS role hasn't been added yet). If you're allowing users to access a server through the administrative RDP session, any user software you have installed so far will have to be uninstalled and reinstalled after adding the terminal server role, to avoid possible multi-user issues.

So did I say "don't run terminal services on a DC" yet? I might have, but you actually can't say it often enough.
